PIPC Takes Action Against CLASSU & KT alpha for Data Breaches, Urges Stronger Privacy Safeguards
Key Takeaways
- CLASSU’s Data Breach: CLASSU was fined for weak security measures that led to the exposure of personal data for over 1.6 million users, along with delayed breach reporting.
- KT alpha’s Credential Stuffing Attack: KT alpha received penalties for not adequately safeguarding against credential stuffing attacks that exposed data for 51 users, despite login attempts targeting over 98,000 accounts.
- The PIPC’s Strong Stance: The PIPC is urging businesses to implement stronger safeguards such as access controls, anomaly detection, and data masking to minimize potential damage from breaches.
Deep Dive
The Personal Information Protection Commission (PIPC) has stepped up its enforcement efforts, issuing penalties to two companies, CLASSU Inc. and KT alpha, following serious data protection failures. This action marks a significant step in South Korea's ongoing effort to enforce its privacy laws and push companies toward better safeguarding of their users' data.
It all started with a hacker gaining access to a database administrator account. From August 2023 to July 2024, over 1.6 million users’ personal data was exposed due to CLASSU’s weak security protocols. While the exact method the hacker used to break in remains unknown, the investigation revealed a major vulnerability: CLASSU had stored sensitive database credentials on an open platform for developers. This blunder likely provided the perfect entry point for the breach.
But the problems didn’t end there. The PIPC found that CLASSU failed to put the necessary privacy safeguards in place. Critical access controls were either missing or poorly implemented, and sensitive data like resident registration numbers and account details were stored without encryption. To make matters worse, CLASSU took its sweet time reporting the breach, well beyond the 72-hour window mandated by PIPA.
The result? A fine of KRW 53.6 million for violations and an additional KRW 7.2 million for wrongful practices. Although CLASSU’s financial position led to a penalty reduction of up to 90%, the company has now been ordered to overhaul its security practices. The PIPC will keep a watchful eye on CLASSU to ensure that these corrective measures are swiftly and effectively implemented.
KT alpha: A Cautionary Tale on Credential Stuffing
Next up is KT alpha, the company behind the Giftishow platform, which found itself on the receiving end of a credential stuffing attack. Between January and February 2023, hackers used stolen login details to attempt over 5.4 million logins, eventually taking over nearly 100,000 accounts. While the damage was somewhat contained by KT alpha’s decision to mask personal information on its website, 51 users still had their sensitive data exposed.
The issue? KT alpha didn’t take sufficient precautions against this type of attack, leaving its login system vulnerable to a surge in automated login attempts. Despite being aware of the breach, the company delayed reporting it to the authorities, further compounding its violation of PIPA’s breach notification requirements.
As a result, KT alpha faced a fine of KRW 4.91 million for the violation and KRW 6.9 million for its negligence. However, the company did take some early steps to mitigate the breach's impact by masking personal data, which likely helped limit the scope of the damage.
PIPC’s Key Message
These two cases should serve as a wake-up call for businesses across South Korea and beyond. With hackers constantly evolving their tactics, companies need to step up their data protection measures, and quickly. The PIPC’s decision highlights the importance of adopting strong access controls, using intrusion detection systems, and being proactive about reporting breaches. After all, a delay in reporting could be the difference between containing a breach and letting it spiral out of control.
Moreover, the Commission stressed the importance of using practical measures like data masking to prevent unauthorized access to sensitive information. This tactic can significantly reduce the damage in case a breach does occur.
For both CLASSU and KT alpha, this isn’t just about paying fines, it’s about proving that they can learn from their mistakes and make meaningful changes. The PIPC is clear that there’s no room for complacency when it comes to personal data. Businesses need to protect their users' information as if it were their own.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.